Google is rolling out a new feature, called "local user verification," that lets you sign in to both native apps and web services using your fingerprint or whichever method you have set up to unlock your Android device, such as a PIN, pattern or password.
The newly introduced mechanism, which has also been named "verify it's you," takes advantage of Android's built-in FIDO2 certified security key feature that Google rolled out earlier this year to all devices running Android version 7.0 Nougat or later.
FIDO2 itself is made up of two specifications: the W3C Web Authentication API (WebAuthn), through which a website or app asks the browser or operating system for a credential, and the FIDO Client to Authenticator Protocol (CTAP), which carries that request to a security key or other authenticator. Together they are designed to give sites a simpler and more secure login mechanism than passwords: a per-site key pair whose private half never leaves the authenticator.
It should be noted that your fingerprint is never sent to Google's servers. The biometric (or PIN, pattern or password) only unlocks a private key held on the device; what the server receives is a cryptographic proof, a signature produced by the registered platform-bound FIDO credential, that you authenticated locally.
"Now, when the user visits a compatible service, such as passwords.google.com, we issue a WebAuthn 'Get' call, passing in the credentialId that we got when creating the credential. The result is a valid FIDO2 signature," Google explains in a post published today.
For now, Google has added this functionality to "passwords.google.com," an online platform where you can view and edit your saved passwords.
Users with Android 7.0 (Nougat) or later can set it up if they have a valid screen lock enabled and a Google account added to their device.
Google is working on expanding and adding this functionality to more Google and Google Cloud services in the near future.
The feature should be useful for people who follow the basic security practice of creating a strong, unique password for each website but have trouble remembering them all.
Beyond this, you are also strongly advised to enable two-step verification on your online accounts, ideally with a phishing-resistant second factor such as a Titan Security Key or your Android phone's built-in security key, so that an attacker who obtains your password still cannot get in.
Google has already started rolling out this new feature for some Android phones, and will make it available for all Android smartphones running Android 7 or later "over the next few days."